On Tue, 2019-03-19 at 15:19 +0300, Igor Zhbanov wrote:
> On 19.03.2019 14:22, Mimi Zohar wrote:
> > On Tue, 2019-03-19 at 10:50 +0300, Igor Zhbanov wrote:
> >> Hi Mimi,
> >>
> >> I guess similar to SELinux function:
> > [snip]
> >
> > Remember IMA relies on LSMs for mandatory access control (MAC). IMA
> > measures, audits, and enforces file integrity.
>
> Yes. But LSM will not check integrity of the file mmap'ed for read. Nor does
> IMA.

Ok, so we can start there and modify the existing ima_file_mmap() to
verify file signatures that are being mmap'ed read. The question will
then become what to do with mprotect write and execute.

> >> The structure vm_area_struct has a pointer vm_file pointing to the mapped file,
> >> so it could be used to determine which file's xattrs to check.
> >
> > That's fine for when there is a file descriptor, but the file
> > descriptor could have been closed. (Refer to the mmap manpage.)
>
> Can it be checked?
>
> I think that checking the integrity at least in the case when the file is
> still open is better than not checking at all. Because as I said it would
> be possible to use mmap+mprotect to bypass IMA checking for shared libraries.

And what would you do with the mprotect without a file descriptor?

The mmap signature verification status is cached in the iint, based on
the inode. I think whatever solution will need to be able to access
this cached information.

Mimi